LEGAL ISSUES

data mining: opportunities and challenges
Chapter XVIII - Social, Ethical and Legal Issues of Data Mining
Data Mining: Opportunities and Challenges
by John Wang (ed) 
Idea Group Publishing 2003
Brought to you by Team-Fly

What is legal and what is wise often are two different things. Given the rapid advance in technology, it is likely that laws to protect against abuses will not be able to keep up. However, there are existing laws that apply in specific situations, and IS professionals must be aware of these. Sadly, many of these issues are not brought up in formal IS education and training. It is important to remember that ignorance of the law does not constitute a defense in a court of law. Therefore, IS professionals must educate themselves concerning existing laws, and be aware of potential future regulation so that they not only prepare their systems for such regulation, but also do not contribute to the social pressure for further government-imposed restrictions, as shown previously in Figure 1.

Lawmakers show little interest in passing a comprehensive privacy law but rather legislate each information source separately. Table 3 provides a brief overview of U.S. Federal regulations that both protect privacy and provide circumstances under which it may be invaded. An interesting point to make is that, prior to September 11, 2001, if the USA Patriot Act of 2001 had been before Congress, it would have probably been considered too invasive. However, the 9/11 attacks have changed that perception and the need for privacy in terms of balancing it with the ability to eliminate terrorism. In the following section, a representative sample of Federal acts is discussed. A complete and thorough discussion of all regulations concerning data collection and use is beyond the scope of this chapter. We begin our examination of U.S. Federal regulations with the Fair Credit Reporting Act and end with a brief discussion of the USA Patriot Act of 2001. Afterwards, we briefly explore legal issues in jurisdiction outside of the United States.

Table 3: U.S. Federal Regulations that impact privacy (Adapted from Caudill & Murphy, 2000)

Laws Protecting Privacy

Act

Year

Description

Fair Credit Reporting Act

1970

Allows consumers to correct errors in their credit reports.

Privacy Act

1974

Government officials may not maintain secret files or gather information about people irrelevant to a lawful purpose.

Right to Financial Privacy Act

1978

Government officials need a warrant to obtain a bank's copies of checks.

Electronic Funds Transfer Act

1978

Banks must notify customers when disclosing records to third parties.

Privacy Protection Act

1980

Government officials are restricted in their ability to seize records of the print media.

Cable Communications Act

1984

Cable companies may not disclose choices consumers make or other personal information without consent.

Family Education and Privacy Right Act

1984

Government officials are restricted in their ability to reveal to third parties information gathered by agencies or educational institutions.

Electronic Communications Privacy Act

1986

Prohibits telephone, telegraph, and other communications services from releasing the contents of messages they transmit (only the recipient of the message can be identified).

Computer Security Act

1987

All government agencies develop safeguards for protecting sensitive data stored in their computers.

Video Privacy Protection Act

1988

Video rental companies may not disclose choices customers make or other personal information without consent.

Computer Matching and Privacy Protection Act

1988

Allows governmental officials to increase the amount of information they gather if the safeguards against information disclosure also increases.

Telephone Consumer Protection Act

1991

Prohibits telemarketers from using automatically dialing telephone calls or facsimile machines to sell a product without obtaining consent first.

Drivers' Privacy Protection Act

1993

Places restrictions on state government agencies and their ability to sell driver's license records.

Health Insurance Portability and Accountability Act (HIPAA)

1996

Designed to reduce inefficiencies in the healthcare industry by reducing paperwork, controlling abuse in the system, providing privacy protection for individuals, and ensuring health care coverage for even those with pre-existing conditions.

The Gramm-Leach-Bliley Act

1999

Financial institutions can share information with affiliate companies, and with nonaffiliated companies after giving customers the option to "opt-out" of certain disclosures.

Children's Online Privacy Protection Act (COPPA)

2000

Sets rules for online collection of information from children.

Laws Invading Privacy

Foreign Intelligence Surveillance Act (FISA)

1978

Provides law enforcement special authority when investigating terrorism or espionage.

Communications Assistance for Law Enforcement Act (CALEA) of 1994

1994

Guarantees law enforcement agencies access to telecommunications carriers' networks.

USA Patriot Act of 2001

2001

Enacted as a result of the September 11 attack on the World Trade Center and was signed by President Bush on Oct. 26, 2001. Grants law enforcement agencies the right to use Carnivore.

Fair Credit Reporting Act

Many people are concerned about using their credit card online for fear that their card information will be stolen. Another fear with the Internet is that a person's credit history can be easily accessed or obtained. With data mining, consumers are scared that their credit card information and credit history will become even more vulnerable. However, the Fair Credit Reporting Act (FCRA) of 1970 already protects consumers against illegal use of credit information:

"Congress passed the Fair Credit Reporting Act in 1970, in recognition of the fact that false or inaccurate information on a credit report can have serious (and embarrassing) consequences for an individual. The act regulates the kind of information that can appear in credit reports, allows individual access to their reports, and sets up a system for an individual to contest the contents of their credit reports." (Alley & Harvey, 1998 )

The FCRA applies to situations other than the loan or credit-application process, such as employer background checks, court records, and motor vehicle reports, anytime the data was provided in a consumer report by a consumer-reporting agency as defined by the Act.

Just about every aspect of the FCRA and the amendment (which went into effect in October 1997) can apply to data mining. If a company participates in data-mining activities, it must carefully review how it uses the information in regards to the FCRA or face potential lawsuits. A company must also be careful that the information it obtains through data mining is accurate. Privacy is protected by the FCRA to a certain degree. This act affects data mining when the organization selling or obtaining the information can be defined as a credit-reporting agency according the FCRA. The entire Fair Credit Reporting Act may be obtained at http://www.ftc.gov/os/statutes/fcra.htm.

Right to Financial Privacy Act

An individual's rights in guarding his or her financial information are protected by The Right to Financial Privacy Act of 1978. Most people are concerned about their financial privacy and believe it is imperative that federal law protects it. Because of this law, procedures must be followed by banks, credit unions, credit card companies, savings and loan associations, and other financial institutions before any information about you is given to a Federal agency. Protecting their financial information is probably one of the areas about which individuals are most concerned. They do not want others to store and/ or analyze this type of data. As technology becomes increasingly more sophisticated, data-mining techniques will challenge this privacy act and threaten the protection it currently provides.

Electronic Funds Transfer Act

The Electronic Funds Transfer (EFT) Act of 1978 was designed to give customers protection by assigning liability to banks that allowed electronic access to customer accounts. There are many benefits to both the bank and individuals from the use of EFT. This act also states that customers must be notified about third-party access to their information on electronic funds transfer, either at the time that the consumer contracts for electronic funds transfer or before the first transfer is made. ATM and debit cards have since flourished, and the flow of data and access to your finances worldwide has increased. By taking the liability off of the consumer, the Electronic Funds Act made it possible for consumers to feel comfortable using ATM, debit cards, and, more recently, electronic funds transfer to pay almost any type of bill.

Electronic Communications Privacy Act

The Electronic Communications Privacy Act (ECPA) addresses the legal privacy issues involved with the use of computers and other new technology in electronic communications. This act updated 1968 legislation that clarified invasion of privacy with the use of electronic surveillance. This law was primarily aimed at preventing invasions of privacy by government. However, it has not been updated to reflect the technological advancements made possible through widespread use of the Internet. Technologies such as Carnivore collect more information than protected under the authority of this law.

Video Privacy Protection Act

The Video Privacy Protection Act of 1988 states that video store owners cannot divulge information about the videos rented or personal information about the consumers who rent them to the general public. This law was enacted to protect the privacy of consumers, in particular so that they would not be ashamed about or prosecuted for renting videos considered adult material. The beneficial result of this law is that people feel free to rent whatever they would like, without fear. Without this act, for example, homosexuals who are not public about their sexuality could fear that friends or employers could find out they are renting gay materials. This law protects them from such discrimination or public ridicule. Without this Act, individuals in high-profile jobs could reasonably fear their renting habits might be released.

Health Insurance Portability and Accountability Act (HIPAA)

The ability to compile, store and cross-reference personally identifiable health information easily is becoming technologically feasible. Unfortunately, patients must worry, and rightly so, about confidentiality. Furthermore, the healthcare industry is so competitive and medical information so valuable that information that should be shared often is not.

On August 21, 1996, U.S. President Bill Clinton signed the Health Insurance Portability and Accountability Act (HIPAA). HIPAA is designed to reduce inefficiencies in the healthcare industry by reducing paperwork, controlling abuse in the system, providing privacy protection for individuals, and ensuring health care coverage for even those with pre-existing conditions. A provision of HIPAA required Congress to enact medical privacy protections by August of 1999. The law also included a provision that gave the Secretary of the U.S. Department of Health and Human Services (HHS) the authority to write medical privacy regulations if Congress missed its self-imposed deadline (Leahy, 2001).

Concerned about the loss of personal privacy and fear that if medical records were not protected from unauthorized disclosure, it would deter people from seeking medical treatment, Senator Patrick Leahy of Vermont, in March of 1999, introduced comprehensive medical privacy legislation entitled, the Medical Information Privacy and Security Act (MIPSA). However, it was not enacted and Congress missed the August, 1999 deadline specified in HIPAA. Therefore, in October 1999, President Clinton and Secretary Donna Shalala unveiled their medical privacy proposal.

The final ruling for the HIPAA was in April 2001 under President George Bush. Most covered entities have two years (until April 2003) to comply with the final revisions of this law. This final law requires that all health organizations including health care providers, insurers, and transaction processors come into compliance with HIPAA by the April 2003 date. . However, it does not cover health-oriented websites that may collect personal data.

Under this law, patients have the right to control how their personal health information is used and must be able to get access to their own medical records if desired. Of course, patients must sign a release before records can be given to any party. However, patients do have the right to limit or withdraw this release of information. Health care organizations are required to have written privacy procedures detailing how information is used and disclosed and are required to provide this information to patients upon request.

The Gramm-Leach-Bliley Act of 1999

The Gramm-Leach-Bliley Act became federal law in November 1999, and states were ordered to comply (although the law did not preempt states from adopting more strict privacy standards). In general, this law states that financial institutions can only share information with affiliates and nonaffiliated companies after giving customers the option to "opt-out" of certain disclosures. Personal information can only be shared only after a consumer has had an opportunity to opt-out. Therefore, organizations must notify individuals when they are planning to share private information outside the scope of typical financial transactions; e.g., selling it to others who plan on using it for data-mining purposes. Enforcement began July 1, 2001. When financial institutions sent out federally mandated privacy notices in the summer of 2001, only 2% to 3% of all consumers opted out (Thibodeau, 2002).

The privacy provisions of Title V of the Act apply only to non-public personal information about individuals who obtain financial products or services for personal, family, or household purposes, and not to companies or individuals obtaining products or services for business purposes (Hirsch, 2000). In addition, this law requires that both stored and transmitted information be encrypted if security cannot be guaranteed. The following federal agencies have responsibility for enforcing the Act: the Federal Trade Commission (FTC), the Department of the Treasury, the Comptroller of the Currency, the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Securities and Exchange Commission. "Because the Gramm-Leach-Bliley Financial Services Act opened the door for banking and insurance markets to enter one another's business, both industries were compelled to gain more information about their customers to cross-sell banking, investment and insurance services" (Ruquet, 2000).

The state of Vermont has taken a much stronger position than the Federal statute by requiring (as of February 15, 2002) financial institutions to acquire affirmative customer consent (opt-in) of its citizens before personal data about customers from Vermont can be shared with others. Insurance trade groups retaliated by filing suit on January 30, 2002, and threatening price increases (Thibodeau, 2002). In response to industry complaints, Elizabeth Costle, Commissioner of the Vermont Department of Banking, Insurance, Securities, and Health Care Administration, stated, "The industry can just assume that everyone with a Vermont ZIP code has opted out. That's the easy way to fix your computers" (Thibodeau, 2002, p. 16). Vermont's rules are a broader application of the state's existing banking privacy laws and not a result of legislature action (Thibodeau, 2002, p. 16). The insurance industry argues in its suit that the banking commission usurped legislative authority. Opt-in requires companies to convince consumers of the benefits of sharing their personal information with others. Vermont is not alone concerning "opt-in." According to the Internet Alliance, 13 states have pending opt-in privacy bills: Arkansas, California, Florida, Hawaii, Illinois, Iowa, Massachusetts, Minnesota, Missouri, North Dakota, New Hampshire, New Jersey and New York (Thibodeau, 2002). New Mexico is considering regulatory action similar to Vermont's. When acquiring data to mine, differences in state laws and regulations like Vermont's opt-in policy will play a role in acquiring data that can be legally used.

Children's Online Privacy Protection Act (COPPA)

To protect children's privacy online, the Children's Online Privacy Protection Act (COPPA) was created, with final legislation going into effect on April 21, 2000. It regulates the collection of personal information from individuals under the age of 13. The Federal Trade Commission (FTC) has been charged with issuing and enforcing rules concerning COPPA. COPPA was the first act involving government regulation solely for the Internet. Because of this law, websites must get parental permission before collecting or using personal information from children. Websites must have a privacy policy that explains what information is collected, how it is collected, and how it will be used. This privacy policy must be in plain view on the website. If a company makes a material change in its privacy policy, it must obtain consent from all parents again. COPPA applies to commercial websites and online services that target and collect information from children. The Act also applies to operators of general sites who have actual knowledge that they are collecting information from children under 13 years of age. Under the COPPA guidelines, operators of such sites must adhere to the following guidelines (FTC Website, http://www.ftc.gov/privacy/coppafaqs.htm):

  1. post clear and comprehensive Privacy Policies on the website describing their information practices for children's personal information;

  2. provide notice to parents, and with limited exceptions, obtain verifiable parental consent before collecting personal information from children;

  3. give parents the choice to consent to the operator's collection and use of a child's information while prohibiting the operator from disclosing that information to third parties;

  4. provide parents with access to their child's personal information to review and/or have it deleted;

  5. give parents the opportunity to prevent further collection or use of the information; and

  6. maintain the confidentiality, security, and integrity of information they collect from children.

In addition, operators are prohibited from conditioning a child's participation in an online activity on the child providing more information than is reasonably necessary to participate in that activity.

After a three-year effort by the FTC to identify and educate the industry and the public about privacy issues, the FTC recommended that Congress enact legislation protecting children. A March 1998 survey of 212 commercial children's websites found that "while 89% of the sites collected personal information from children, only 24% posted privacy policies, and only 1% required parental consent to the collection or disclosure of children's information" (FTC, 1999).

Ignorance of the law is not a defense in a court of law. If you are caught violating COPPA, you can be fined up to $11,000 per child per incident. Non-profit organizations, however, are exempt from COPPA. For more information about COPPA, you can visit the following sites: http://www.ftc.gov/kidzprivacy, http://www.kidsprivacy.org/, and http://www.cdt.org/.

USA Patriot Act of 2001

The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA Patriot) Act of 2001 is not a single new law but rather an omnibus piece of legislation that amends dozens of existing laws (Fausett, 2001, p. 10). Hence, if you read the text of the Act without a copy of the United States Code close at hand, it will make no sense whatsoever. According to M. Scott (2001), the act:

"greatly expands the right of law enforcement officials to wiretap the Web, including information transmitted over the Internet, corporate in-house networks and voice mail systems. It also lets them search stored e-mails and voice mails to collect evidence that may be useful in prosecuting criminals, including terrorists." (p. 82)

Unlike the Electronic Communications Privacy Act that requires a subpoena or search warrant, Section 212 of the Patriot Act "lets a system operator voluntarily disclose customer information along with the content of stored e-mail messages to a governmental entity if the provider reasonably believes that an emergency involving immediate danger of death, or serious physical injury to any person justifies disclosure." (M. Scott, 2001, p. 82). Section 210 of the Act requires an e-mail system operator to disclose the means or source of payment for the provider's services, records of session times and durations, and any temporarily assigned network addresses. The hope is that such information may help locate terrorists and those who fund them. This Act can provide a wealth of information on suspected criminals and terrorists that law enforcement agencies can merge with other data overlays to data mine in order to better identify candidates for intense scrutiny.

International Laws

Many nations have data protection laws that attempt to ensure an individual's privacy rights. These include but are not limited to:

  • The Russian Federation Law on Information, Informatization, and Information Protection of 1995

  • The U.K. Data Protection Act of 1998

  • The New Zealand Privacy Act of 1993

  • The 1995 EU Data Protection Directive

  • The Hong Kong Personal Data (Privacy) Ordinance of 1996 (see http://www.pco.org.hk/)

  • The Estonia Personal Data Protection Act in June 1996

The Electronic Privacy Information Center (EPIC) and Privacy International reviewed the state of privacy in over fifty countries around the world ("Privacy & Human Rights, 2000," 2000). The report found many countries around the world are enacting comprehensive data protection laws.

Other nations, such as China and India, have no general data protection laws enacted, although data privacy is referred to in a few regulations in both countries. Interestingly, however, the Chinese Constitution proclaims citizens have limited rights to privacy even though few laws limit government actions. For example, Article 37 of its constitution provides that the freedom of citizens of the People's Republic of China is inviolable, and Article 40 states: "Freedom and privacy of correspondence of citizens of the People's Republic of China are protected by law." However, whenever technological advancements seem on the brink of loosening the government's grip over its citizens, the Chinese government uses all its power to either suppress the technology or mold it to fit its own political agenda. For readers who are interested in exploring international laws pertaining to privacy and data protection, see http://www.privacyinternational.org/survey/.

Laws and Data Mining

The majority of laws that safeguard the privacy of consumers are positive for society because they make people feel comfortable providing information as well as purchasing or renting material, and this helps the economy. However, the downside of any database is that it is never totally secure from "the outside." Many of these laws pertain to the collection and dissemination of data. Companies interested in data mining must respect these restrictions. Despite these legal developments, there are still questions that remain open for debate. Table 4 lists some of the more pertinent questions.

Table 4: Issues surrounding data mining that are open for debate despite legal developments

  • Society has a right and an obligation to protect itself, even if this results in violating an individual's privacy. However, what is required for society to adequately and irrepressibly protect itself?

  • At what level are people willing to give up privacy for the sake of security?

  • If an organization purchases data from another organization that gathered it illegally and then mines that data, what are the legal and ethical ramifications for that organization?

  • When an organization must share data with a third party in order to provide an individual goods or services, to what extent is that organization legally obligated to ensure that the third party does not mine that data?

  • With the increased value and usage of data by organizations, what legal mechanisms should be in place to enforce laws and regulations?

  • Can a video store mine the rental transaction data of its customers to create customer profiles that could then be sold to others?

  • If a company voluntarily discloses in good faith (under Section 212 of the USA Patriot Act of 2001), customer information along with the content of stored e-mail messages to a government agency when it reasonably believes an emergency exists, does the law give that organization immunity from a subsequent lawsuit from the e-mail user?

  • What legal obligation does an ISP have if, through mining its own logs, it believes it has identified either criminal or terrorist activity?

Brought to you by Team-Fly


Data Mining(c) Opportunities and Challenges
Data Mining: Opportunities and Challenges
ISBN: 1591400511
EAN: 2147483647
Year: 2003
Pages: 194
Authors: John Wang

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net